Wireshark 4.6.6 Fixes ROHC Dissector Crash and Windows Stability Bugs


Wireshark 4.6.6 is now available with a security fix for a ROHC protocol dissector crash and several stability fixes across Windows, protocol parsing, and capture file handling. The Wireshark 4.6.6 release notes list wnpa-sec-2026-51 as the main vulnerability fixed in this update.

The issue affects Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15. According to the Wireshark security advisory, the flaw could allow Wireshark to crash when it processes a malformed packet on the wire or when a user opens a malformed packet trace file.

Wireshark says it is not aware of any exploits for this issue. Even so, network analysts, incident responders, and security teams should update because packet analyzers often process untrusted captures from live networks, customers, partners, or investigations.

What the ROHC dissector bug means

ROHC stands for Robust Header Compression. In Wireshark, a dissector parses protocol data so users can inspect traffic in a readable format. A flaw in that parsing logic can crash the application when it sees malformed input.

The public issue connected to the advisory describes a crash path involving the ROHC dissector, an uncompressed profile, and a large context identifier condition. For everyday users, the practical impact is simpler: Wireshark or TShark may stop working while reading a specially crafted capture.

The risk matters most in environments where analysts open packet captures from outside sources. A malformed file sent to a help desk, SOC team, consultant, or incident responder could disrupt analysis even if it does not provide code execution.

| Item | Details |
| --- | --- |
| Security advisory | wnpa-sec-2026-51 |
| Affected branch | Wireshark 4.6.0 to 4.6.5 |
| Old stable affected branch | Wireshark 4.4.0 to 4.4.15 |
| Fixed versions | Wireshark 4.6.6 and 4.4.16 |
| Likely impact | Application crash during packet dissection |

Wireshark also fixes Windows and parser issues

The update includes more than the ROHC security fix. The release notes also list a MACsec dissector global-buffer-overflow fix, two VeriWave file reader uninitialized memory read fixes, and multiple fuzzing-related crash fixes.

Windows users receive several important fixes. Wireshark 4.6.5 had a compatibility problem that stopped it from running on Windows 10 version 1809, including Server 2019 and some LTSC editions. That issue is fixed in 4.6.6.

The update also resolves a Windows upgrade problem where optional features were not retained unless users explicitly selected them. Another fix addresses a packaging issue that made Wireshark.exe 4.6.5 about twice as large as 4.6.4.

| Fix area | What changed in Wireshark 4.6.6 |
| --- | --- |
| ROHC | Fixed a protocol dissector crash tracked as wnpa-sec-2026-51 |
| MACsec | Fixed a dissector global-buffer-overflow issue |
| VeriWave | Fixed uninitialized memory reads in file reader code |
| Windows compatibility | Fixed launch problems on Windows 10 version 1809, Server 2019, and some LTSC systems |
| Windows installer | Fixed optional feature retention during upgrades |
| Npcap | Updated bundled Windows capture driver from Npcap 1.87 to Npcap 1.88 |

Npcap 1.88 is now bundled on Windows

Wireshark 4.6.6 ships with Npcap 1.88 in the Windows installers. The previous Wireshark 4.6.5 installer included Npcap 1.87.

Npcap matters because Wireshark depends on packet capture drivers for live capture on Windows. Users who only open saved captures may notice fewer changes, but analysts who capture live traffic should still prefer the newest installer package.

The official Wireshark download page lists 4.6.6 as the stable release and 4.4.16 as the old stable release. Windows, macOS, Ubuntu, PortableApps, and source code downloads are available from the same page.

Updated protocol and capture file support

No new protocols were added in Wireshark 4.6.6. However, the update refreshes dissector support across BACapp, BPv7, DB/IB GDS DB, Kafka, MACsec, PFCP, RF4CE, ROHC, RTPS-VT, SAPHDB, and SIP.

Capture file support also changed for JSON and VeriWave formats. That matters for teams that use Wireshark or TShark in repeatable analysis workflows, automated packet review, or shared capture repositories.

On Unix systems, Wireshark also documents an extcap location change that became effective in 4.6.0. Extcap binaries now default to the libexec directory, such as /usr/libexec/wireshark/extcap, except on macOS when running from an app bundle.

Who should update first

Security teams should prioritize the update if they regularly inspect untrusted packet captures, run TShark in automated pipelines, or use Wireshark on shared analysis workstations. These users face the highest practical risk from parser crashes caused by malformed input.

The wnpa-sec-2026-51 advisory recommends upgrading to Wireshark 4.6.6, 4.4.16, or later. Organizations that cannot update immediately should avoid opening packet captures from unknown or untrusted sources until they can deploy the fix.

Users who need a fresh installer can use the download page and select the correct package for their platform. Windows users should also check whether their deployment process includes Npcap and optional Wireshark features.

  • Update Wireshark 4.6.x installations to 4.6.6 or later.
  • Update old stable 4.4.x installations to 4.4.16 or later.
  • Do not open packet captures from unknown sources on unpatched systems.
  • Patch automated TShark analysis systems that process uploaded captures.
  • Review Windows deployment scripts to preserve optional features during upgrades.

Why packet parser bugs deserve attention

Wireshark is widely used for troubleshooting, security investigations, development, and education. The Wireshark FAQ describes it as a network protocol analyzer that lets users capture and browse traffic running on a computer network.

That role makes parser reliability important. Analysts often open packet traces during urgent investigations, and a crash can interrupt work when teams need fast answers.

For most users, Wireshark 4.6.6 is a maintenance and stability update rather than an emergency breach response. However, anyone who handles untrusted capture files should install it promptly because malformed packets and trace files are a realistic attack surface for packet analysis tools.

What Wireshark users should do next

Admins should inventory current Wireshark and TShark versions, update affected systems, and confirm that shared analysis machines no longer run 4.6.0 through 4.6.5 or 4.4.0 through 4.4.15.
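
A version check for the inventory step above, as an added example that is not from Wireshark or the original article: it classifies `tshark --version` banners against the affected ranges quoted on this page. Host names and banner strings are constructed, the version is assumed to sit on the first banner line, and "not-listed" is this example's own label for branches the page does not mention.

```python
import re
import shutil
import subprocess

# Affected branches from wnpa-sec-2026-51 as quoted in this article:
# (major, minor) -> highest affected patch level (next patch level is the fix).
LAST_AFFECTED = {(4, 6): 5, (4, 4): 15}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

def parse_version(banner):
    """Return (major, minor, patch) from the first banner line, or None."""
    lines = (banner or "").strip().splitlines()
    match = VERSION_RE.search(lines[0]) if lines else None
    return tuple(int(part) for part in match.groups()) if match else None

def classify(banner):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for one banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"          # tool missing or output not recognised
    major, minor, patch = version
    last_bad = LAST_AFFECTED.get((major, minor))
    if last_bad is None:
        return "not-listed"       # branch not named in the advisory text here
    return "affected" if patch <= last_bad else "fixed"

def local_banner(tool="tshark"):
    """Run `<tool> --version` on this machine; None if it is not on PATH."""
    path = shutil.which(tool)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, timeout=30)
    return result.stdout

# Constructed sample inventory (host names and banners are made up).
SAMPLE = {
    "soc-ws-01": "TShark (Wireshark) 4.6.5 (v4.6.5-0-gconstructed).",
    "ir-laptop": "Wireshark 4.4.16 (constructed).",
    "pipeline-01": "TShark (Wireshark) 4.6.6.",
    "lab-old": "TShark (Wireshark) 4.2.9.",
    "broken": "tshark: command not found",
}

def inventory(banners):
    """Map each host to its status so 'affected' hosts can be patched first."""
    return {host: classify(banner) for host, banner in banners.items()}

if __name__ == "__main__":
    for host, status in inventory(SAMPLE).items():
        print(f"{host:12} {status}")
    print("this host:", classify(local_banner()))
```

Hosts reported as "unknown" or "not-listed" still need a manual look, since the check only knows the two branches named in the advisory.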

Teams should also remind users that saved packet captures can carry risk. The Wireshark FAQ notes that Wireshark runs across Windows, macOS, Linux, and UNIX, so mixed-platform teams should check every environment instead of patching only Windows workstations.

After updating, analysts can resume normal workflows with the fixed ROHC dissector, updated protocol handling, and the bundled Npcap 1.88 driver on Windows.

FAQ

What is fixed in Wireshark 4.6.6?

Wireshark 4.6.6 fixes the wnpa-sec-2026-51 ROHC protocol dissector crash, several Windows stability issues, a MACsec dissector global-buffer-overflow issue, VeriWave file reader memory issues, and multiple fuzzing-related crashes.

Which Wireshark versions are affected by the ROHC dissector crash?

The ROHC dissector crash affects Wireshark 4.6.0 through 4.6.5 and Wireshark 4.4.0 through 4.4.15. The issue is fixed in Wireshark 4.6.6 and 4.4.16.

Can the ROHC bug be exploited remotely?

Wireshark says it may be possible to crash the application by injecting a malformed packet onto the wire or by convincing someone to open a malformed packet trace file. The project also says it is unaware of any exploits for the issue.

Does Wireshark 4.6.6 add new protocols?

No. Wireshark 4.6.6 does not add new protocols, but it updates support for several existing protocols, including BACapp, BPv7, Kafka, MACsec, PFCP, ROHC, and SIP.

Should Windows users update to Wireshark 4.6.6?

Yes. Windows users should update because Wireshark 4.6.6 fixes compatibility problems affecting Windows 10 version 1809, Server 2019, and some LTSC editions. The Windows installer also ships with Npcap 1.88.
